In addition to CSRF attacks, Sajax is particularly vulnerable to JavaScript hijacking
attacks. This vulnerability arises from two issues. First, Sajax sends data downstream to
clients in JavaScript format. Second, the default request type in Sajax is HTTP GET. Together,
these two issues mean that developers will need to implement JavaScript hijacking protections
in their applications, since by default, applications using the Sajax framework are
vulnerable to JavaScript hijacking.
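The following is an added example, not Sajax's own code, showing why the two issues above matter and what the protection a developer has to add looks like. It assumes a Sajax-style reply is executable JavaScript fetched with GET (the `sajaxResult` variable name, the guard prefix, the `x-requested-with` header check and the `csrfToken` field are all assumptions of this example); the hardened form returns guarded JSON that only the application's own XMLHttpRequest code path can read, and the server accepts it only over POST with a custom header and a per-session token.

```javascript
// Added example (not from Sajax): a JavaScript-format reply beside a hardened reply.
// Sample record below is constructed for the demonstration.

// Guard prefix: a deliberate syntax error. A <script src="..."> include of the reply
// aborts on it, while the legitimate XHR client strips it before JSON.parse().
const GUARD_PREFIX = ")]}',\n";

// Vulnerable shape (assumption: mirrors a GET-fetched reply in JavaScript format).
// Because the body is valid JavaScript, it can be loaded cross-origin as a script.
function vulnerableResponse(data) {
  return "var sajaxResult = " + JSON.stringify(data) + ";";
}

// Hardened shape: plain JSON behind the guard prefix. Treated as a script it throws
// before any value is assigned, so nothing becomes readable to a third-party page.
function hardenedResponse(data) {
  return GUARD_PREFIX + JSON.stringify(data);
}

// Client-side parser used by the application's own XMLHttpRequest code path.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("missing anti-hijacking guard prefix");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Server-side gate: POST only (a <script> tag can only issue GET), a custom header
// that script tags and simple cross-site forms cannot set, and a per-session token.
function isSafeRequest(req, sessionToken) {
  return req.method === "POST"
    && req.headers["x-requested-with"] === "XMLHttpRequest"
    && req.body !== null && typeof req.body === "object"
    && req.body.csrfToken === sessionToken;
}

// Would a browser accept this body as a script? Function() parses without running,
// so it is a safe way to check that the guard prefix really breaks script inclusion.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed sample record standing in for an application reply.
const sample = { user: "alice", balance: 42 };
console.log("JS-format reply parses as script:", parsesAsScript(vulnerableResponse(sample)));
console.log("guarded reply parses as script:  ", parsesAsScript(hardenedResponse(sample)));
console.log("XHR client recovers:", parseGuardedJson(hardenedResponse(sample)));
```

The guard prefix and the POST-plus-header check are complementary: the prefix stops a cross-origin script include from ever seeing the values, and the request gate stops the reply from being generated for a request the application's own client did not send.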
Unintended Method Exposure
Popularity: 4
Simplicity: 6
Impact: 3
Risk Rating: 4
In the areas of other common exposures, such as debug functionality and exposing
potentially sensitive methods, Sajax is less vulnerable than other frameworks. For example,
enabling debug functionality in Sajax results in a number of JavaScript alerts being generated
when the web application is used. For this reason, it is virtually impossible for a developer
to accidentally leave debugging functionality enabled on a production web application
using Sajax. In the case of exposing potentially sensitive methods, at the time of
writing, Sajax does not provide any automated way to expose large numbers of methods
at once.